webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Shift It Right, Too?
July 09, 2019
"Shift Left" has become an ever-present meme amongst DevOps and the security folk concerned about or working with DevOps. To "shift left" means to attend to something as early in development as possible, based on the assumption of left-to-right mapping of development activities.
Whether the activity is design, testing, or even operational activities, timeliness provides benefit. Obviously, the earlier we attend to security fixes, or really, any issues, the better.
Much data has been assembled about the benefits of finding and fixing bugs as early as possible; there should be little controversy about the efficacy of "shifting fixes left." At the heart of "shift left" is preparedness, planning, and appropriate timing of activities, all of which are signs of a mature development process. And, to my mind, these values are part of the DevOps revolution as teams break down artificial role boundaries and convert operational tasks into code.
Secure design's place has been at the "right side" of development, that is, early in the process, before designs are baked and it becomes too late to build security needs as a part of building software. Numerous Secure Development Life cycles (SDL or S-SDLC) and security standards explicitly place tasks like architecture risk assessment (ARA) and threat modeling early during development. This is not new: one of the first standards describing early security requirements is NIST 800-14, published in 1996! Though many organizations still struggle to identify security requirements early enough, there should be little doubt about the need to start designing security early in a development process. Importantly for this discussion, these critical design activities have typically been seen as right-side (early) only, or worse, single, point-in-time activities.
Experience, especially with iterative development approaches, has taught me that seeing design as only right-side (beginning), or worse, a point-in-time task is a mistake, as equally destructive as late-cycle security tests, or worse, identifying security needs after software has been built.
Once we start thinking iteratively, it becomes clear that point-in-time SDL tasks are more likely to gum up the works, to become an impediment because security isn't matching the way that software is built. Often, several development tasks are taking place in parallel. Among these will be:
■ Refine architecture
■ Specify design
■ Draft code
■ Test
■ Release software
■ Ongoing sustainment and operations
The above activities quite often all occur simultaneously. Each activity has particular security responsibilities which are best executed as a part of that portion of the work. Threat models must be refined as architecture is solidified; security requirements must be specified as part of designs; code is best checked for security errors as it's drafted; obviously, security is something that must be proved right along with everything else that's been implemented.
In fact, in my humble experience, allowing threat models to iterate leaves room for security requirements to improve just like the code is expected to improve through iterative development methods like Agile.
We might say, "shift secure design right," in comparison to "shift security left." But that doesn't really capture the spirit of iteration, continuous delivery, or DevOps, to my thinking.
Would it be more precise to say, "continuous security"? Thinking about security as a continuous process fits well with Continuous Integration/Continuous Delivery (CI/CD) and Agile models. Though, perhaps "continuous security" is less meme-worthy?
Let me at least point out the trouble that point-in-time threat models generate, particularly in the context of rapid or continuous development strategies. Too often, point-in-time security requirements that are never adjusted for subsequent learnings and changes result in requirements that have not, cannot, will never be implemented as specified. That's a loss for everyone involved.
If you prefer to say "shift left," then by all means, let secure design tasks "shift right" as well. I think of SDL security tasks as "continuous":
■ Give developers the tools they need to check code for coding mistakes.
■ Threat model throughout structure and design changes.
■ Have penetration testing prove security requirements and assumptions, enabling an organic feedback to revise requirements and assumptions.
Above all else, break down artificial role barriers that slow us down and obscure shared responsibilities.
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
